VPN in Failover configuration?
Hello everybody.
I've set up a FortiGate 60C with an Internet link on WAN1. On this link, I'm also doing an IPSec VPN tunnel to another FGT60C (remote office).
Now I have a second line, which I want to use as a failover (on WAN2). What I should configure is to have the same policies applied to WAN2, set the routing priorities and configure a ping host. But what do I have to do for the VPN to go up again when WAN1 would be down and WAN2 would become the main outgoing link? As far as I've seen, the VPN Phase 1 is bound to one interface only...
Thanks in advance and kind regards,
F.
5 REPLIES
The easy fix would be to build 2 VPN tunnels with static routes and in interface route mode. Then you can run both tunnels; just set the route priorities (distance) for the one side that you prefer and the correct fwpolicies.
Make sure DPD is enabled and have at it. With the FortiGate, you can also run a dynamic routing protocol if so desired, but that would be more work.
Good luck
PCNSE
NSE
StrongSwan
Hello emnoc.
I've just been thinking about the same procedure: always have 2 open VPN tunnels (one on WAN1, one on WAN2) and simply have traffic being prioritised to go through the main (WAN1) link when up.
One last question: what happens to running sessions in the VPN tunnel when a WAN failover event would occur? Would they be cut off?
Thanks,
F.
Hi,
have a look at the chapter "Redundant VPN connections" in the FortiOS Handbook, or the IPSec Guide. With a parameter that you set via CLI you can instruct a backup VPN to monitor the primary VPN, and step in if the primary fails (for whatever reason, not only line failure).
Ede Kernel panic: Aiee, killing interrupt handler!
What ede is referring to is the set monitor-phase1; this is similar to the Juniper vpnmonitor feature.
On the question about the session states, I would assume that since the sessions are already in the table, they would continue on. But when you build your redundant VPN tunnels, you can test this to see if it's true.

PCNSE
NSE
StrongSwan
I disagree here. I think the design and intention of an IPSec tunnel is such that if a tunnel is going down all sessions across this tunnel are terminated instantly. If (by a redundant setup) a backup tunnel is built up then new sessions have to be established as sessions are tied to interfaces in the session table.
I'd recommend configuring the tunnels to re-establish automatically (a phase1 parameter) instead of the regular traffic-driven build-up.
Ede Kernel panic: Aiee, killing interrupt handler!
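As an added example (not from any of the posters), here is a sketch of the primary/backup tunnel setup the replies describe, on the WAN1/WAN2 side FortiGate: the backup phase1 monitors the primary as Ede suggests, both phase2s auto-negotiate so the tunnels are rebuilt without waiting for traffic, and two static routes with different distances select the tunnel as emnoc describes. Tunnel names, addresses and the PSK are placeholders, and the CLI keywords are assumed from the FortiOS releases I know; option names (for instance the dpd syntax) differ between versions.

```fortios
# Primary tunnel on WAN1; DPD so a dead peer is detected
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set interface "wan1"
        set remote-gw 203.0.113.10          # placeholder: remote office WAN1 IP
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <placeholder-psk>
    next
    # Backup tunnel on WAN2; "set monitor" keeps it down until vpn-primary fails
    edit "vpn-backup"
        set interface "wan2"
        set remote-gw 198.51.100.10         # placeholder: remote office WAN2 IP
        set monitor "vpn-primary"
        set dpd on-idle
        set psksecret <placeholder-psk>
    next
end

# Phase 2 with auto-negotiate so tunnels are (re)built without waiting for traffic
config vpn ipsec phase2-interface
    edit "vpn-primary-p2"
        set phase1name "vpn-primary"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0   # placeholder: local LAN
        set dst-subnet 192.168.2.0 255.255.255.0   # placeholder: remote LAN
    next
    edit "vpn-backup-p2"
        set phase1name "vpn-backup"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Same destination via both tunnels; the lower distance wins while its
# tunnel interface is up, the higher one takes over on failover
config router static
    edit 10
        set dst 192.168.2.0 255.255.255.0
        set device "vpn-primary"
        set distance 10
    next
    edit 11
        set dst 192.168.2.0 255.255.255.0
        set device "vpn-backup"
        set distance 20
    next
end
```

Drop the `set monitor` line to get emnoc's variant with both tunnels permanently up and only the route distance deciding. The remote FGT60C needs the mirror configuration, and the firewall policies for both tunnel interfaces that the replies mention are omitted here.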
